Additional opportunities to prevent email abuse through domain matching?

[jerrybell]

Hello,

I've had an unfortunate string recently with email accounts being hijacked by spammers and used to relay spam through my server. I don't know if the spammers are getting the email through malware on the PC of the account owner, sniffing wifi connections, or offering chocolate bars to the users, but it's happened 3 times in about 6 months.

In any event, I noticed that in each case the spammers are using a completely fake from address - usually @aol.com or some other big name domain.

It seems to me that I should not be allowing email to be sent through my server where the domain in the from address is not a local domain or some domain that I explicitly allow. Is there an option to enable this kind of restriction?

It would be even nicer if I had the option to limit authenticated senders to only sending from the address they authenticated with. So, if I auth with the name "[email protected]", I can only send email where my from address is "jerr[email protected]". Is there a reasonable way to do this?

Thanks much!

Jerry

 

[cPanelMichael]

Hello

You may find the following option in "WHM Home » Service Configuration » Exim Configuration Manager" under the "Mail" tab useful:

"EXPERIMENTAL: Rewrite From: header to match actual sender"

Per it's description:

"If you enabled this option, the From: header will be rewritten to be the email address of the actual message sender. If you choose the "remote" option, only messages that are being sent to remote destinations will be affected."

Thank you.

 

[vanessa]

I didn't test this, but theoretically you can add this to the ACL section of exim.conf (WHM -> Exim Configuration Manager -> Advanced)

acl_check_sender: 
   accept authenticated = * 
   deny !sender_domains = +local_domains

This would basically make sure the sender is a local domain on the server, but will not go as far as matching the email addresses.

 

[brianoz]

This would basically make sure the sender is a local domain on the server, but will not go as far as matching the email addresses.

Vanessa - that's really useful. Is there a way to provide a specific message? I'd like to track a resulting log message and use that to disable that SMTP user as they've obviously been hacked.

 

[vanessa]

Vanessa - that's really useful. Is there a way to provide a specific message? I'd like to track a resulting log message and use that to disable that SMTP user as they've obviously been hacked.

This might work (again, didn't test. I'm sorta lazy):

acl_check_sender: 
   accept authenticated = * 
   deny !sender_domains = +local_domains
   log_message = "Sender domain does not match authenticated domain."
   message = "Sender domain does not match authenticated domain."

 

[Dayneuske]

I am having the same issue as OP and would love to implement the fix proposed by vanessa.

However, I am not able to find the "acl_check_sender:" section of the advanced exim configuration manager. Doing a search for the setting has not helped any either.

Can you tell me if this is a custom acl that needs to be added or if my version of the advanced exim configuration manager is messed up?

If there is documentation on this setting can you provide the link and let me know the search terms used to find it? (Always looking to improve me search skills)

 

[cPanelMichael]

There is more discussion of that ACL here which you may find useful:

acl_deny_sender

Thank you.